blockhole'd IP receiving referral?

Niobos niobos at
Sun Dec 20 10:22:39 UTC 2009

On 19 Dec 2009, at 16:11, Fr34k wrote:
> Hello,
> Chris, I believe you are correct. That is, "blackhole applies to the  
> sending of queries in addition to the receiving of queries".
> Let me explain.
> I discovered this the hard way. I had a /24 in the blackhole because  
> it contained abusive clients. Within this /24 sat two legitimate  
> authoritative name servers (ANS). Our clients could not get  
> responses from these ANS servers because they were within the /24  
> blackhole.
> The solution was to make an exception for these two ANS servers.  
> This is fine in that the blackhole function is doing its job well!
> However, we have a few /16s among our blackhole networks and to  
> manage an exception list of legitimate ANS servers contained within  
> will be unmanageable.
> So, how to stop the abuse without impacting legitimate client queries?
> I think the solution here would be to permit "allow-recursion  
> ( mynets;)" clients to query and get responses from "blackhole  
> ( badnets; }" networks in some way.
> Does such a solution, or equivalent, exist? If so, can someone share?

I haven't tested this, but I think this might do what you ask for:
Remove the blackhole-statements from the config; instead add these  
rules to iptables, ipfw or equivalent:
* Allow "related or established" packets to the DNS port
* Drop incomming DNS-requests from the blackhole nets

This will basically allow replies, but drop requests.


More information about the bind-users mailing list